Date: Wed, 19 Sep 2001 08:05:36 -0400 (EDT)
From: "Marc G. Fournier" <scrappy@hub.org>
To: Krzysztof Zaraska
Subject: Re: ipfw problems ...
Message-ID: <20010919075409.G30377-100000@mail1.hub.org>
Sender: owner-freebsd-net@FreeBSD.ORG

On Wed, 19 Sep 2001, Krzysztof Zaraska wrote:

> First, is there any specific reason for allowing only specific 900 subnets
> instead of the whole 'cost nothing' network? How big is this network? How
> would this increase the risk?

CA*Net3 vs "commercial net" traffic ...

> Second, with that number of networks, it is probable that at least some of
> them have the same prefix; for example
>   10.10.0.0/16
>   10.11.0.0/16
> can be matched with 10.10.0.0/15. This may bring down the number of rules.
>
> Continuing from the previous point, if all class B networks are on the same
> network block (having, say, 1024 class B networks) you may allow the whole
> block and disallow only 124 subnets. That would bring the number of
> relevant rules down to 125.

Actually, I've already done that :( Some areas I've been able to get down to a /12 ... so imagine the number of rules if I *hadn't* done that ...

> Third, take into account that since ipfw takes the 'first matching rule
> wins' approach, you will get a performance boost by moving more
> frequently used and more general rules "up" in the ruleset. For
> example, if you move a rule from position 700 to 200, a packet will be
> matched only against 200 rules instead of 700.

Thought about it, but not possible ... unless I'm misunderstanding something ... these rules are the exceptions ... "if none of these B-class networks is matched, *then* shape the bandwidth for anything not in there" ... Is there some way of creating a 'group', similar to /etc/networks, where it's one rule with many addresses in it?

> Fourth, if you have any "keep-state" rules, each of them effectively
> generates new "dynamic" rules. In order to improve performance with
> TCP connections you may try to switch to the TCP flag-based approach
> (keywords "setup" and "established"). This will save you from
> additional growth of the ruleset, but may open you to the TCP ACK scan (I
> haven't verified it) which exposes inside network topology.

Not using any 'keep-state' rules ...

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
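The two rule-reduction ideas raised in the thread (collapse adjacent prefixes into one supernet, and allow a whole block while shaping only the holes in it) can both be done offline, before the rules are loaded. The script below is an added example and is not code from either poster or from the FreeBSD project; it does not use any ipfw grouping feature, it only generates an ordinary numbered ruleset. The allowed prefixes, the covering block 10.0.0.0/12, the pipe number and the rule numbering are constructed assumptions, as is the "allow = not shaped, pipe = shaped" reading of the setup described in the reply. The ipfw rule syntax used (`ipfw add N allow ip from any to net/len`, `ipfw add N pipe 1 ip from any to any`) is standard ipfw syntax.

```python
import ipaddress

# Constructed sample (not from the thread): a "free" block 10.0.0.0/12 in which
# every /16 is free except 10.3.0.0/16 and 10.9.0.0/16, plus two free /16s that
# sit outside the block. The 10/8 addresses are stand-ins, not real peer prefixes.
SAMPLE_ALLOWED = [f"10.{i}.0.0/16" for i in range(16) if i not in (3, 9)] + [
    "10.20.0.0/16",
    "10.21.0.0/16",
]


def aggregate(nets):
    """Merge adjacent or overlapping prefixes into the fewest covering prefixes
    (10.10.0.0/16 + 10.11.0.0/16 -> 10.10.0.0/15). Returned in address order."""
    parsed = [ipaddress.ip_network(n, strict=True) for n in nets]
    return list(ipaddress.collapse_addresses(parsed))


def holes(block, allowed):
    """Parts of `block` that are NOT in `allowed`: the subnets that would still
    need an explicit shaping rule if the whole block were allowed with one rule."""
    block = ipaddress.ip_network(block)
    remaining = [block]
    for a in aggregate(allowed):
        if block.subnet_of(a):      # the block lies entirely inside an allowed prefix
            return []
        if not a.subnet_of(block):  # CIDR prefixes are aligned: disjoint, nothing to carve
            continue
        carved = []
        for r in remaining:
            if a.subnet_of(r):
                carved.extend(r.address_exclude(a))  # yields nothing when a == r
            elif r.subnet_of(a):
                continue                              # r is fully allowed, drop it
            else:
                carved.append(r)
        remaining = carved
    return list(ipaddress.collapse_addresses(remaining))


def plan(block, allowed):
    """Return the shorter of the two rule bodies discussed in the thread:
    (a) one 'allow' per aggregated free prefix, or
    (b) shape the holes first, then allow the whole block, then allow the free
        prefixes outside the block.
    The order inside each body matters because ipfw is first-match: a hole's
    pipe rule must precede the block's allow rule or it can never fire."""
    block = ipaddress.ip_network(block)
    agg = aggregate(allowed)
    listed = [f"allow ip from any to {a}" for a in agg]
    excepted = (
        [f"pipe 1 ip from any to {h}" for h in holes(block, allowed)]
        + [f"allow ip from any to {block}"]
        + [f"allow ip from any to {a}" for a in agg if not a.subnet_of(block)]
    )
    return excepted if len(excepted) < len(listed) else listed


def render_ipfw(block, allowed, base=1000, step=10):
    """Number the chosen rules and append the catch-all shaping rule
    (everything not matched above goes through the pipe)."""
    body = plan(block, allowed)
    rules = [f"ipfw add {base + i * step} {r}" for i, r in enumerate(body)]
    rules.append(f"ipfw add {base + len(body) * step} pipe 1 ip from any to any")
    return rules


if __name__ == "__main__":
    print(f"{len(SAMPLE_ALLOWED)} input prefixes -> "
          f"{len(aggregate(SAMPLE_ALLOWED))} after aggregation")
    for line in render_ipfw("10.0.0.0/12", SAMPLE_ALLOWED):
        print(line)
```

On the constructed sample the 16 input prefixes aggregate to 7, and the block-minus-holes form needs only 4 rules plus the catch-all, so that is what gets emitted. Two things to check before loading anything like this: the direction and interface in the generated rules (the example matches on destination only, `from any to`), and `net.inet.ip.fw.one_pass`, which decides whether a packet that has been queued by a `pipe` rule leaves the ruleset or continues to the next rule; with the ordering above the outcome is the same either way, since the rule after a hole's pipe is the block's allow.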